GKE Cluster Setup
This guide provisions a production-grade GKE cluster using DevOpsGenie's Terraform Google provider modules.
1. VPC & Subnets
terraform/environments/production/gcp-network.tf
# Custom-mode VPC: auto_create_subnetworks is off, so the only subnets that
# exist are the ones declared explicitly (see google_compute_subnetwork.gke).
resource "google_compute_network" "main" {
  project                 = var.project_id
  name                    = "devopsgenie-production"
  auto_create_subnetworks = false
}
# Node subnet for the GKE cluster plus the two alias-IP ranges a VPC-native
# cluster needs. The range_name values are referenced by name from
# google_container_cluster.main.ip_allocation_policy, so renaming them here
# requires changing the cluster as well.
resource "google_compute_subnetwork" "gke" {
  project = var.project_id
  region  = var.region
  network = google_compute_network.main.id
  name    = "gke-subnet"

  # Primary range: node IPs.
  ip_cidr_range = "10.100.0.0/20"

  # Nodes have no public IPs (private cluster), so Google APIs must be
  # reachable over Private Google Access.
  private_ip_google_access = true

  # Pod IPs (alias range).
  secondary_ip_range {
    range_name    = "pods"
    ip_cidr_range = "10.200.0.0/14"
  }

  # ClusterIP service range.
  secondary_ip_range {
    range_name    = "services"
    ip_cidr_range = "10.204.0.0/20"
  }

  # NOTE(review): no log_config block is set, so VPC Flow Logs are off for
  # this subnet; consider enabling them so node/pod traffic is available for
  # detection and incident forensics.
}
2. GKE Standard Cluster
terraform/environments/production/gke.tf
# Regional GKE Standard cluster. Node pools are separate resources below;
# the secondary range names must match the ones on google_compute_subnetwork.gke.
resource "google_container_cluster" "main" {
  name     = "devopsgenie-production"
  location = var.region # regional cluster: control plane replicated across the region's zones
  project  = var.project_id

  # Drop the default node pool right after creation; node pools are managed as
  # separate google_container_node_pool resources. initial_node_count = 1 is
  # the placeholder size for the pool that gets removed.
  remove_default_node_pool = true
  initial_node_count       = 1

  network    = google_compute_network.main.name
  subnetwork = google_compute_subnetwork.gke.name

  # VPC-native (alias IP) cluster. These names must match the
  # secondary_ip_range blocks on the subnet ("pods" = 10.200.0.0/14,
  # "services" = 10.204.0.0/20).
  ip_allocation_policy {
    cluster_secondary_range_name  = "pods"
    services_secondary_range_name = "services"
  }

  # Workload Identity: pods obtain IAM credentials through the cluster's
  # workload pool rather than the node's credentials. Node pools opt in with
  # workload_metadata_config { mode = "GKE_METADATA" }.
  workload_identity_config {
    workload_pool = "${var.project_id}.svc.id.goog"
  }

  # Private cluster: nodes get no public IPs. enable_private_endpoint = false
  # keeps the control plane's public endpoint; who may reach it is governed by
  # master_authorized_networks_config below.
  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = false
    master_ipv4_cidr_block  = "172.16.0.0/28" # control-plane range; must not overlap any VPC range above
  }

  # Only the listed CIDRs may reach the API server. 10.0.0.0/8 is broad: it
  # contains the node subnet (10.100.0.0/20) AND the pod range (10.200.0.0/14),
  # so every pod has network reach to the control plane and RBAC becomes the
  # only barrier between a compromised pod and the API.
  # NOTE(review): narrow this to admin/bastion ranges, and confirm whether the
  # public endpoint still admits Google Cloud public IPs by default
  # (gcp_public_cidrs_access_enabled) — verify against the provider version in use.
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "10.0.0.0/8"
      display_name = "internal-networks"
    }
  }

  # Binary Authorization is ENFORCED here (not optional): the project-level
  # policy decides which images may run. NOTE(review): a project policy that
  # has never been configured is allow-all, so this only restricts images
  # once attestors / an allowlist are actually defined on the project — confirm.
  binary_authorization {
    evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
  }

  # GKE-managed add-ons: L7 load balancing, HPA, and the two CSI drivers
  # (persistent disk, GCS FUSE).
  addons_config {
    http_load_balancing { disabled = false }
    horizontal_pod_autoscaling { disabled = false }
    gce_persistent_disk_csi_driver_config { enabled = true }
    gcs_fuse_csi_driver_config { enabled = true }
  }

  # REGULAR release channel: GKE picks and rolls out versions within the
  # channel; the maintenance window below bounds when that happens.
  release_channel {
    channel = "REGULAR"
  }

  # Weekly maintenance window: Saturdays and Sundays, 02:00-06:00 UTC. The
  # 2024-01-01 timestamps only anchor the first occurrence of the RRULE.
  maintenance_policy {
    recurring_window {
      start_time = "2024-01-01T02:00:00Z"
      end_time   = "2024-01-01T06:00:00Z"
      recurrence = "FREQ=WEEKLY;BYDAY=SA,SU"
    }
  }
}
# System node pool — runs platform add-ons
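# System node pool: tainted so only pods that tolerate CriticalAddonsOnly
# (platform add-ons) schedule here; application pods go to the "workloads" pool.
resource "google_container_node_pool" "system" {
  name     = "system"
  cluster  = google_container_cluster.main.name
  location = var.region
  project  = var.project_id

  # Seed size only; the autoscaler owns the count afterwards. The original
  # used node_count = 1 alongside autoscaling, which the provider documents as
  # unsupported and which sat below min_node_count (a perpetual plan diff as
  # the autoscaler scaled to 2). initial_node_count matches the minimum.
  # For a regional pool these counts are per zone.
  initial_node_count = 2

  autoscaling {
    min_node_count = 2
    max_node_count = 5
  }

  node_config {
    machine_type = "n2-standard-4"
    disk_size_gb = 100
    disk_type    = "pd-ssd"
    image_type   = "COS_CONTAINERD" # Container-Optimized OS with containerd

    # GKE_METADATA: the GKE metadata server serves Workload Identity
    # credentials to pods instead of exposing the node's VM metadata.
    workload_metadata_config { mode = "GKE_METADATA" }

    # Broad OAuth scope; effective access is bounded by the node service
    # account's IAM roles. NOTE(review): no service_account is set, so this
    # pool runs as the project's default Compute Engine service account —
    # confirm, and prefer a dedicated least-privilege node SA.
    oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]

    labels = { role = "system" }

    # Keep ordinary workloads off the system pool.
    taint {
      key    = "CriticalAddonsOnly"
      value  = "true"
      effect = "NO_SCHEDULE"
    }

    # Shielded VM: verified boot chain and integrity monitoring.
    shielded_instance_config {
      enable_secure_boot          = true
      enable_integrity_monitoring = true
    }
  }
}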
# Workload node pool
# General-purpose pool for application workloads. Untainted, so this is where
# every pod that does not tolerate CriticalAddonsOnly lands.
resource "google_container_node_pool" "workloads" {
  project  = var.project_id
  location = var.region
  cluster  = google_container_cluster.main.name
  name     = "workloads"

  node_config {
    image_type   = "COS_CONTAINERD"
    machine_type = "n2-standard-8"
    disk_type    = "pd-ssd"
    disk_size_gb = 100

    # Spot VMs for cost savings. NOTE(review): this is the only untainted
    # pool, so all application capacity is Spot and may be reclaimed at any
    # time — confirm that is acceptable for production or add a small
    # on-demand baseline pool.
    spot = true

    # Workload Identity on nodes (pairs with the cluster's workload pool).
    workload_metadata_config { mode = "GKE_METADATA" }
    oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]

    labels = { role = "workloads" }

    shielded_instance_config {
      enable_integrity_monitoring = true
      enable_secure_boot          = true
    }
  }

  # Per-zone counts on a regional pool: minimum 3 per zone, maximum 30 per zone.
  autoscaling {
    max_node_count = 30
    min_node_count = 3
  }
}
3. Artifact Registry
terraform/environments/production/artifact-registry.tf
# Docker repository for production images.
resource "google_artifact_registry_repository" "main" {
  project       = var.project_id
  location      = var.region
  repository_id = "devopsgenie"
  format        = "DOCKER"
  description   = "DevOpsGenie production container images"

  # NOTE(review): image vulnerability scanning is a project-level API setting,
  # not part of this resource, and no cleanup_policies are defined, so untagged
  # and stale images accumulate indefinitely — confirm both are handled elsewhere.
}
4. Apply & Connect
# Run from the production environment directory.
cd terraform/environments/production

# Plan to a file, then apply exactly that plan so what was reviewed is what
# runs. The tfplan file embeds variable values and resource attributes:
# treat it as sensitive and do not commit it.
terraform init
terraform plan -out=tfplan
terraform apply tfplan

# Fetch kubeconfig credentials for the new cluster. Region and project must
# match the var.region / var.project_id values given to Terraform.
CLUSTER=devopsgenie-production
REGION=us-central1
PROJECT=devopsgenie-production
gcloud container clusters get-credentials "$CLUSTER" --region "$REGION" --project "$PROJECT"
kubectl get nodes
5. Install Platform Stack
# Install the platform stack; --region/--project must match the Terraform inputs.
devopsgenie platform install --provider gcp --cluster devopsgenie-production --region us-central1 --project devopsgenie-production